AMENDMENTS TO THE CLAIMS

Please amend claims 1, 12, 13, 18, and 23, such that the status of the claims is as follows:

1. (Currently amended) A method for providing computer application security, the method comprising:

identifying secured resources within a software application;
grouping secured resources into user roles in a plurality of data stores on multiple platforms [[data store]];
creating a plurality of surrogate identifiers in the data stores [[data store]], each surrogate identifier being associated with one user role;
associating users with user roles, each user being associated with one user role; and
determining access rights to the secured resources for each user according to a corresponding surrogate identifier without disclosing the corresponding surrogate identifier to the user, the corresponding surrogate identifier being associated with the one user role of the user.



2. (Previously presented) The method of claim 1, wherein identifying secured resources comprises:

identifying functions within the software application to be secured, the identified functions being secured resources; and
invoking a security call before permitting access to the secured resources.

3. (Previously presented) The method of claim 2, wherein identifying secured resources further comprises:

installing an embedded module in the software application to capture the security call.
4. (Currently amended) The method of claim 1, wherein grouping secured resources into user roles comprises:

establishing in the data stores [[data store]] links to each of the secured resources;
selecting the links corresponding to related secured resources;
grouping the selected links into user roles; and
storing the user roles in the data stores [[data store]].

5. (Currently amended) The method of claim 1, wherein grouping secured resources into user roles comprises:

establishing in the data stores [[data store]] links to each of the secured resources within the software application;
selecting the links corresponding to related secured resources;
grouping the selected links into privilege sets;
grouping privilege sets and links into user roles; and
storing the user roles in the data stores [[data store]].

6. (Currently amended) The method of claim 1, wherein grouping secured resources into user roles comprises:

establishing in the data stores [[data store]] links to each of the secured resources within the software application;
selecting the links corresponding to related secured resources;
grouping the selected links into privilege sets;
grouping privilege sets and links into job functions;
grouping job functions, privilege sets and links into user roles; and
storing the user roles in the data stores [[data store]].
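The nested grouping recited in claims 4 through 6 (resource links gathered into privilege sets, privilege sets into job functions, and job functions into user roles, all kept in the data stores), as an added illustration in Python that is not part of the application or its specification. The dictionary layout, the `GROUPS` sample data and the `resolve_links` function are assumptions made for this example; the claims do not recite how a stored role is resolved back to the resource links it grants.

```python
# Assumed data-store layout for this example: every grouping (privilege set,
# job function or user role) is a named node whose "links" are secured
# resource names and whose "members" are other groupings.  All names below
# are constructed sample data, not taken from the application.
GROUPS = {
    "ps:ledger-read":  {"links": {"GL.View", "GL.Search"}, "members": set()},
    "ps:ledger-write": {"links": {"GL.Post", "GL.Reverse"}, "members": {"ps:ledger-read"}},
    "jf:bookkeeper":   {"links": {"Reports.Monthly"}, "members": {"ps:ledger-write"}},
    "jf:auditor":      {"links": {"Audit.Trail"}, "members": {"ps:ledger-read"}},
    "role:controller": {"links": {"Admin.CloseBooks"}, "members": {"jf:bookkeeper", "jf:auditor"}},
    "role:clerk":      {"links": set(), "members": {"ps:ledger-read"}},
}


def resolve_links(groups, name):
    """Flatten a user role (or any grouping) to the set of secured-resource
    links it grants, following nested groupings to any depth.

    A grouping that reaches itself, or a reference to a grouping that is not
    in the store, raises instead of silently granting or withholding access:
    a broken role definition should fail closed and loudly.
    """
    links = set()
    done = set()                 # groupings already expanded (diamonds are fine)
    stack = [(name, ())]         # (grouping, path of groupings leading to it)
    while stack:
        node, path = stack.pop()
        if node in path:
            raise ValueError("cycle in grouping: " + " -> ".join(path + (node,)))
        if node in done:
            continue
        entry = groups.get(node)
        if entry is None:
            raise KeyError("unknown grouping %r referenced from %r" % (node, path))
        done.add(node)
        links |= entry["links"]
        for member in entry["members"]:
            stack.append((member, path + (node,)))
    return links


def role_permits(groups, user_roles, user_id, resource):
    """True when the single role recorded for user_id grants the resource."""
    return resource in resolve_links(groups, user_roles[user_id])
```

A diamond (two job functions sharing one privilege set) is expanded once; only a genuine cycle raises. Because a user is associated with exactly one role, a permission check reduces to one `resolve_links` call over that role.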
7. (Currently amended) The method of claim 1, wherein creating a plurality of surrogate identifiers comprises:

associating each surrogate identifier with one user role in the data stores [[data store]]; and
replicating each surrogate identifier in the data stores [[data store]] of a plurality of security providers [[security provider]].

8. (Currently amended) The method of claim 1, wherein associating a user with a user role comprises:

creating a list of user identifiers corresponding to existing users on a security provider;
selecting user identifiers from the list;
storing selected user identifiers in the data stores [[data store]]; and
associating each selected user identifier with one user role, the user role being undisclosed to the user.



9. (Previously presented) The method of claim 1, wherein determining access rights to one of the secured resources comprises:

authenticating the user as a valid user; and
authorizing the user to access one of the secured resources.

10. (Currently amended) The method of claim 9, wherein authenticating the user comprises:

invoking programmatically an embedded component within the software application when a secured resource is accessed;
passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
retrieving an identifier and a security provider name from the user via the platform coordinator;
passing the identifier and the security provider name to a security broker;
relaying the identifier to a security provider associated with the security provider name for authentication;
evaluating automatically the identifier against one of the data stores [[a data store]] of one of a plurality of security providers [[the security provider]];
returning an authentication result to the security broker;
storing an authentication token with a time stamp in a cache of the security broker when authentication is successful, the authentication token created by the security broker based on the authentication result;
retrieving the user role associated with the identifier from one of the data stores [[the data store]];
retrieving the surrogate identifier associated with the user role from one of the data stores [[the data store]];
passing the surrogate identifier and a secured resource name from the security broker to the security provider;
evaluating automatically the surrogate identifier against one of the data stores [[the data store of the security provider]];
determining automatically permissions associated with the surrogate identifier on the security provider;
returning an authorization result associated with the surrogate identifier to the security broker;
creating automatically a permissions token on the security broker based on the authorization result;
relaying the permissions token to the platform coordinator, the permissions token comprising both the secured resource and access rights;
storing the permissions token with a time stamp in a cache on the platform coordinator; and
relaying the access rights to the software application through the embedded component.

11. (Currently amended) The method of claim 9, wherein once the user is authenticated, authorizing the user comprises:

invoking programmatically an embedded component within the software application when a secured resource is accessed;
passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
retrieving an authentication token from a cache on the platform coordinator;
passing the authentication token and the resource name to the security broker;
comparing the authentication token against the cache on the security broker to identify a matching authentication token, the matching authentication token being associated in the cache with the surrogate identifier;
passing the surrogate identifier and the resource name from the security broker to the security provider;
evaluating automatically the surrogate identifier against one of the data stores [[the data store]] of one of the plurality of security providers [[the security provider]];
determining automatically permissions associated with the surrogate identifier on the security provider;
returning an authorization result associated with the surrogate identifier to the security broker;
creating automatically a permissions token on the security broker based on the authorization result;
relaying the permissions token to the platform coordinator, the permissions token comprising both the secured resource and access rights;
storing the permissions token with a time stamp in a cache on the platform coordinator; and
relaying the access rights to the software application through the embedded component.

12. (Currently amended) The method of claim 9, wherein once the user is authenticated and authorized to access the secured resource, determining access rights to one of the secured resources further comprises:

invoking programmatically an embedded component within the software application when the secured resource is accessed;
passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
retrieving an authentication token from a cache on the platform coordinator;
comparing the secured resource name with permissions tokens stored in the cache on the platform coordinator for a matching permissions token, the matching permissions token containing the secured resource name; and
relaying access rights associated with the matching permissions token to the software application through the embedded component.
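The authentication and authorization sequence of claims 10 through 12, as an added illustration in Python that is not part of the application or its specification. The class names, the in-memory dictionaries standing in for the broker and provider data stores, the opaque random authentication token, the `TOKEN_LIFETIME` value and the `build_demo` sample deployment are all assumptions made for this example. The point to observe is that the surrogate identifier is resolved on the broker and sent only to the provider; the platform coordinator on the workstation holds nothing but the authentication token and the permissions tokens it caches.

```python
import secrets
import time

# Assumed lifetime for the time-stamped tokens; the claims recite a time
# stamp on each cached token but no lifetime value.
TOKEN_LIFETIME = 300


class SecurityProvider:
    """One security provider and its data store: user credentials for
    authentication, and permissions keyed by surrogate identifier."""
    def __init__(self, users, surrogate_permissions):
        self._users = users                        # user id -> secret (constructed sample)
        self._permissions = surrogate_permissions  # surrogate id -> {resource: rights}

    def authenticate(self, user_id, secret):
        return self._users.get(user_id) == secret

    def authorize(self, surrogate_id, resource):
        # Permissions are looked up by surrogate, never by the user's own identifier.
        return self._permissions.get(surrogate_id, {}).get(resource, "deny")


class SecurityBroker:
    """Holds the role data store (user -> role -> surrogate) and the cache of
    authentication tokens.  The surrogate is resolved here and goes only to
    the provider, never back to the workstation."""
    def __init__(self, providers, user_roles, role_surrogates, now=time.time):
        self._providers = providers
        self._user_roles = user_roles
        self._role_surrogates = role_surrogates
        self._auth_cache = {}  # token -> (time stamp, surrogate id, provider name)
        self._now = now

    def authenticate(self, user_id, secret, provider_name):
        if not self._providers[provider_name].authenticate(user_id, secret):
            return None
        surrogate = self._role_surrogates[self._user_roles[user_id]]
        token = secrets.token_hex(16)  # opaque handle; token contents are not recited
        self._auth_cache[token] = (self._now(), surrogate, provider_name)
        return token

    def authorize(self, token, resource):
        entry = self._auth_cache.get(token)
        if entry is None:
            return None
        stamped, surrogate, provider_name = entry
        if self._now() - stamped > TOKEN_LIFETIME:
            del self._auth_cache[token]  # expired: the user must authenticate again
            return None
        rights = self._providers[provider_name].authorize(surrogate, resource)
        return {"resource": resource, "rights": rights, "issued": self._now()}


class PlatformCoordinator:
    """Workstation side: keeps the authentication token and a cache of
    permissions tokens, so a repeated request for the same resource is
    answered locally without a round trip to the broker (claim 12)."""
    def __init__(self, broker, now=time.time):
        self._broker = broker
        self._auth_token = None
        self._perm_cache = {}  # resource name -> permissions token
        self._now = now

    def login(self, user_id, secret, provider_name):
        self._auth_token = self._broker.authenticate(user_id, secret, provider_name)
        return self._auth_token is not None

    def access_rights(self, resource):
        """Called by the embedded component with the secured resource name."""
        cached = self._perm_cache.get(resource)
        if cached and self._now() - cached["issued"] <= TOKEN_LIFETIME:
            return cached["rights"]
        if self._auth_token is None:
            return "deny"
        token = self._broker.authorize(self._auth_token, resource)
        if token is None:
            self._auth_token = None  # broker rejected or expired our token
            return "deny"
        self._perm_cache[resource] = token
        return token["rights"]


def build_demo(now=time.time):
    """Constructed sample deployment: one provider, two users, two roles."""
    provider = SecurityProvider(
        users={"alice": "pw-alice", "bob": "pw-bob"},
        surrogate_permissions={
            "sg-7f3a": {"Payroll.Export": "allow", "Payroll.View": "allow"},
            "sg-c091": {"Payroll.View": "allow"},
        },
    )
    broker = SecurityBroker(
        {"provider-east": provider},
        user_roles={"alice": "payroll-admin", "bob": "payroll-clerk"},
        role_surrogates={"payroll-admin": "sg-7f3a", "payroll-clerk": "sg-c091"},
        now=now,
    )
    return PlatformCoordinator(broker, now=now)
```

The `now` parameter exists so the time stamps can be driven by an injected clock: once either the broker's authentication token or the coordinator's permissions token is older than `TOKEN_LIFETIME`, the coordinator falls back to denying access until the user authenticates again, which is the fail-closed behaviour a practitioner would want from the caches the claims describe.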

13. (Currently amended) A method for providing computer security, the method comprising:

securing a plurality of resources within a software application;
identifying each of the plurality of resources in a data store;
selecting some of the plurality of resources;
grouping selected resources into user roles in the data store;
creating a plurality of user names and a plurality of aliases in the data store, each user name and each alias being associated with the same [[one]] user role;
replicating the plurality of resources, the user roles, the plurality of user names and the plurality of aliases in a plurality of data stores on different platforms; and
determining access privileges to the plurality of resources using an alias corresponding to a user name by virtue of the same one user role from one of the plurality of data stores.



14. (Previously presented) The method for providing computer security of claim 13, wherein determining access privileges comprises:

authenticating a user on the system; and
authorizing access rights to secured resources in the software application.

15. (Currently amended) The method for providing computer security of claim 14, wherein authenticating a user comprises:

retrieving a user identifier;
passing the user identifier to a security provider;
verifying the user identifier against one of the plurality of data stores [[a data store]] on the one of a plurality of security providers [[provider]]; and
returning an encrypted authentication token.

16. (Currently amended) The method for providing computer security of claim 14, wherein authorizing access rights comprises:

capturing a security call from the software application, the security call containing a name identifying a secured resource;
retrieving a user identifier;
passing the user identifier to a security broker;
retrieving one of the plurality of aliases from the [[a]] data store of the security broker, the retrieved alias corresponding to the user identifier;
passing the retrieved alias to a security provider;
verifying the alias against one of the plurality of data stores [[a provider data store]] on the security provider;
returning an encrypted permissions token to the software application; and
determining access rights to the secured resource according to the permissions token.

17. (Previously presented) The method of claim 16 wherein retrieving a user identifier comprises:

gathering information about a user for authorizing access to secured resources, the information selected from the group consisting of user name and password, software token, hardware token, and digital signature.

18. (Currently amended) A computer security system comprising:

a plurality of computer workstations, each computer workstation having an operating system and a software application installed, the software application containing an embedded component;
a plurality of security providers on different platforms, each security provider having a security data store; and
a plurality of security brokers, each security broker having a data store, each security broker being a computer in network communication with the computer workstations and the security providers;
wherein each computer workstation is capable of communicating with each security broker; and
wherein each security broker is capable of communicating with each security provider.
19. (Previously presented) The computer security system of claim 18, wherein the computer workstations further comprise:

a platform coordinator installed on each workstation, the platform coordinator for routing permissions requests to security brokers, the platform coordinator capable of communicating with any one of the security brokers so that if one of the security brokers is unavailable, the platform coordinator can route the permissions requests to another security broker for proceeding with authentication and authorization.

20. (Previously presented) The computer security system of claim 18, wherein the security brokers further comprise:

a cache for storing an authentication token, the authentication token being used to retrieve a surrogate identifier associated with the authentication token.

21. (Previously presented) The computer security system of claim 18, wherein the security brokers route permissions requests programmatically to the security providers, each security broker being capable of routing permissions requests to any one of the security providers such that if one security provider is unavailable, the security broker can route permissions requests to another security provider.

22. (Previously presented) The computer security system of claim 18, wherein the security system further comprises:

administration utilities for configuring, updating and maintaining the data store and the security data store, the administration utilities providing a single software application for maintaining user identifiers, setting and changing permissions, creating security events, and tracking system usage and security events within the security system.
23. (Currently amended) A process for authorizing access rights to secured resources in a software application, the process comprising:

authenticating a computer user to a computer security provider via a user identifier corresponding to the computer user, the computer security provider returning a result to a security broker according to the user identifier, the computer security provider being one of a plurality of security providers on different platforms;
storing the result on the security broker;
retrieving a surrogate identifier from the security broker, the surrogate identifier corresponding to the result, the surrogate identifier being undisclosed to the computer user; and
authorizing the surrogate identifier to the computer security provider, the computer security provider returning surrogate permissions to the security broker, the surrogate permissions corresponding to the surrogate identifier, the surrogate permissions for determining access rights to secured resources in the software application according to the surrogate permissions.

24. (Previously presented) The process for authorizing access rights according to claim 23, wherein authorizing the surrogate identifier to the computer security provider comprises:

passing the surrogate identifier to a security manager;
querying for the surrogate identifier in a permissions list on the security provider using the security manager;
determining surrogate permissions for the surrogate identifier according to the permissions list; and
returning the surrogate permissions to the security broker.
25. (Previously presented) The process for authorizing access rights according to claim 24, wherein authorizing the surrogate identifier to the computer security provider further comprises:

passing the surrogate permissions from the security broker to a platform coordinator;
storing the surrogate permissions with a time stamp in a cache on the platform coordinator;
relaying the surrogate permissions to an embedded component within the software application;
passing the surrogate permissions to a function within the software application, the function capable of interpreting the surrogate permission; and
interpreting the surrogate permission using the function to permit or deny access rights to the secured resource.



26. (Currently amended) The process for authorizing access rights according to claim 23, wherein authenticating comprises:

passing the user identifier from the security broker to a security manager;
querying for the user identifier in an authentication list on the computer security provider using the security manager;
determining validity of the user identifier according to the authentication list; and
returning a result to the security broker.



